[openstack-dev] [tripleo][tripleoclient] No more global sudo for "stack" on the undercloud

Cédric Jeanneret cjeanner at redhat.com
Wed Jun 6 05:27:57 UTC 2018



On 06/06/2018 06:59 AM, Mike Carden wrote:
> 
>     \o/ - care to add the links on the doc? Would be really helpful for
>     others I guess :).
> 
> 
> Doc? What doc?

This one: https://docs.openstack.org/oslo.privsep/latest/index.html

I just created https://review.openstack.org/#/c/572670/

So, back to business: we need a spec and discussions in order to get
a consensus and implement best practices.

Using privsep will allow us to drop the sudo part, as it uses rootwrap
instead. This way also allows us to filter out the rights, and we can
ensure we actually don't let people do bad things.

The mentioned blog posts also point to the test process, and show how
we can ensure we actually mock the calls. They also propose a directory
structure, and stress the way to actually call the privileged methods.
All of that makes perfect sense, as it has a simple logic: if you need
privileges, show them without any hide-and-seek game.

That advice should be followed and integrated into any spec/blueprint
we're to write prior to the implementation.

Regarding the tripleoclient part: there's currently one annoying issue,
as the generated files aren't owned by the deploy user (usually named
"stack").
This isn't a really urgent correction, but I'm pretty sure we have to
lock any change toward a "quick'n'dirty resolution".

Cheers,

C.

> 
> --
> MC

-- 
Cédric Jeanneret
Software Engineer
DFG:DF
